9
votes

We have created a converged application for a public community (AD & Live users can log in) using Microsoft Graph and the scopes openid, email, profile and user.readBasic.all.

Everything works fine for Live users, but some AD users are not able to log in. When they try to log in they get the message:

"App needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."

As per the Microsoft document, we have prepared the admin consent URL as

https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&prompt=admin_consent

Even after admin consent, users are not able to log in to the app. Please help us with what we are missing here.

1 Answer

5
votes

Your URL is for the v1 Endpoint, not the v2 Endpoint (aka converged endpoint).

It should look like this (line break for readability):

https://login.microsoftonline.com/common/adminconsent?
client_id=[APPLICATION ID]&redirect_uri=[REDIRECT URI]

Note that it is /adminconsent rather than /authorize and there isn't a prompt query parameter. Also keep in mind that you'll need to ensure your registration includes the scopes you want the consent for.

I've written an article that walks you through the entire process that should prove helpful here: v2 Endpoint and Admin Consent
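As an added illustration of the distinction the answer draws (this is example code, not from the answer's author or from Microsoft), the snippet below builds the v2 /adminconsent URL in the form shown above with properly encoded parameters, recognises whether a given URL is the v1 `/oauth2/authorize?...&prompt=admin_consent` form from the question or the v2 `/adminconsent` form, and checks the redirect the app receives afterwards. The callback parameters it looks for (`admin_consent=True`, `tenant`, `state`, `error`, `error_description`) are the ones documented for the v2 admin consent endpoint; the client ID, redirect URI, tenant ID and state value in the sample inputs are constructed placeholders. Carrying a `state` value and verifying it on return is an assumption about good practice on the app side, not something the answer requires.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(client_id, redirect_uri, tenant="common", state=None):
    """Build the v2 endpoint admin consent URL in the shape the answer shows.

    Note there is no prompt=admin_consent parameter: the path itself
    (/adminconsent) is what requests tenant-wide admin consent.
    """
    params = {"client_id": client_id, "redirect_uri": redirect_uri}
    if state is not None:
        params["state"] = state  # round-tripped so the callback can be tied to this request
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode(params)}"


def classify_consent_url(url):
    """Return 'v2-admin-consent', 'v1-admin-consent' or 'other' for a consent URL.

    The v1 form is /oauth2/authorize with prompt=admin_consent (the question's URL);
    the v2 (converged) form uses the /adminconsent path.
    """
    parts = urlsplit(url)
    path = parts.path.rstrip("/")
    query = parse_qs(parts.query)
    if path.endswith("/adminconsent"):
        return "v2-admin-consent"
    if path.endswith("/oauth2/authorize") and query.get("prompt") == ["admin_consent"]:
        return "v1-admin-consent"
    return "other"


def parse_consent_callback(callback_url, expected_state=None):
    """Interpret the redirect back to redirect_uri after the admin acted.

    Success is signalled by admin_consent=True plus the consenting tenant's ID;
    failure (e.g. the admin declined) arrives as error / error_description.
    A state mismatch is treated as a failure before anything else is trusted.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if expected_state is not None and query.get("state") != [expected_state]:
        return {"ok": False, "reason": "state_mismatch"}
    if "error" in query:
        return {
            "ok": False,
            "reason": query["error"][0],
            "description": query.get("error_description", [""])[0],
        }
    if query.get("admin_consent") == ["True"]:
        return {"ok": True, "tenant": query.get("tenant", [""])[0]}
    return {"ok": False, "reason": "no_admin_consent_flag"}


if __name__ == "__main__":
    # Constructed sample values, not a real registration.
    url = build_admin_consent_url("00000000-0000-0000-0000-000000000001",
                                  "https://app.example.test/consent-callback",
                                  state="req-42")
    print(url)
    print(classify_consent_url(url))
    print(parse_consent_callback(
        "https://app.example.test/consent-callback?admin_consent=True"
        "&tenant=11111111-1111-1111-1111-111111111111&state=req-42",
        expected_state="req-42"))
```

Running `classify_consent_url` on the URL from the question returns `'v1-admin-consent'`, which is exactly the mismatch the answer points out; once the app is sent to the `/adminconsent` URL and the callback comes back with `admin_consent=True`, the tenant ID in the response tells you which directory was consented.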